Remote password management: How to allow users to change expired passwords when outside the domain network and cannot log in to RDP?

Admins enable the Password Expiration Notification feature to remind users of impending password expiration option to ensure that users change passwords periodically. This can help prevent cybercriminals from gaining access to sensitive data, even if they have stolen user credentials. However, remote users' Active Directory passwords expire because:

1. They connect to their corporate network via VPN using cached credentials or initiate only a remote connection (RDP), and are not prompted to change their password.
2. They use Outlook Web Access (OWA) and never log on interactively to see Windows notifications in their taskbar.

As a result, users are forced to call the help desk team for assistance. This is not an optimal solution as it increases the number of help desk calls and reduces employee productivity.

ADSelfService to the rescue: Send password expiration notifications and enable remote password change from a web-browser

ADSelfService Plus' Password Expiration Notifier alerts users about their impending Active Directory password expiration via SMS, email, or push reminders. Harder to ignore than the bubble messages from the task bar, SMS or email password reminders encourage users to change their soon-to-expire passwords immediately from a secure web-portal: ADSelfService Plus end user portal.

ADSelfService Plus supports sending multiple reminders at specified intervals to have your users proactively change their passwords before they expire. Admins can also send customized password expiration messages to different sets of users based on their OU and group membership.

How to configure password expiration notification in ADSelfService Plus?

1. Go to Configuration > Password Expiration Notification > Add new notification.
2. Select the domain, notification type, notification medium, and enter the scheduler name.
3. Configure the notification frequency. For instance, admins can choose to send a password expiration alert seven days before the password expires; then send a second reminder five days before expiration; a third, three days before expiration; and a fourth and final reminder a day before the password expires.
4. Click Save.

Active Directory user password expired: What now?

If users don't change their passwords despite receiving the notifications, ADSelfService Plus empowers them to change their Active Directory password from any web-browser, from anywhere, at any time. This means, ADSelfService Plus also remotely updates the cached password stored in users' machines.

How to enable Password Change in ADSelfservice Plus?

1. Go to Configuration > Self-Service > Policy Configuration.
2. Select Change Password.

   

3. Click Select OUs/Groups to granularly select which set of users need to be allowed to change their passwords.

Other notable highlights of Password Expiration Notifier:

1. Account expiration notifier: Notify Active Directory users about their impending account expiration.
2. Compliance: Helps comply with PCI DSS and HIPAA regulations.
3. Advanced reports: An overall summary of all the notifications sent to users will be emailed to your admins and managers to identify potential problems and resolve any issue before they arise.